Abstract — In the splitting model, information theoretic authentication codes allow non-deterministic encoding, that is, several messages can be used to communicate a particular plaintext. Certain applications require that the aspect of secrecy should hold simultaneously. Ogata-Kurosawa-Stinson-Saido (2004) have constructed optimal splitting authentication codes achieving perfect secrecy for the special case when the number of keys equals the number of messages. In this paper, we establish a construction method for optimal splitting authentication codes with perfect secrecy in the more general case when the number of keys may differ from the number of messages. To the best knowledge, this is the first result of this type.

I. Introduction 

The development of quantum computer resistant cryptographic schemes and security technologies is of crucial importance for maintaining cryptographic long-term security and/or confidentiality of digital data, as classical cryptographic primitives such as RSA, DSA, or ECC would be easily broken by future quantum computing based attacks (e.g., [1], [2]). Application areas where cryptographic long-term security and/or confidentiality is strongly required include archiving official documents, notarial contracts, court records, medical data, state secrets, copyright protection as well as further areas concerning e-government, e-health, e-publication, et cetera.

To this end, one promising approach is the design of information theoretic authentication and secrecy systems (e.g., [3], [4]). The information theoretic, or unconditional, security model does not depend on any complexity assumptions and hence cannot be broken given unlimited computational resources. This guarantees not only resistance against future quantum computing based attacks but also perfect security in the classical world.

This paper considers authentication and secrecy codes in the splitting model. Splitting is of importance, for instance, in the context of authentication with arbitration [5] (i.e., protection against insider attacks in addition to outsider attacks). Ogata-Kurosawa-Stinson-Saido [6] have constructed optimal splitting authentication codes with perfect secrecy for the special case when the number of keys equals the number of messages. In this work, we develop a construction method for optimal splitting authentication codes with perfect secrecy in the more general case when the number of keys may differ from the number of messages. To the best knowledge, this is the first result of this type. Our simple yet powerful approach is based on the notion of cyclic splitting designs and establishes an efficient method to construct optimal splitting authentication codes with perfect secrecy.

II. The Splitting Model 

We rely on the information theoretical, or unconditionally secure, authentication model developed by Simmons (e.g., [7], [8]). Our notation follows [6], [9], [10]. In this model, three participants are involved: a transmitter, a receiver, and an opponent. The transmitter wants to communicate information to the receiver via a public communications channel. The receiver in return would like to be confident that any received information actually came from the transmitter and not from some opponent (integrity of information). The transmitter and the receiver are assumed to trust each other. An authentication code is sometimes called, for short, an A-code.

Let $\mathcal{S}$ denote a finite set of source states (or plaintexts), $\mathcal{M}$ a finite set of messages (or ciphertexts), and $\mathcal{E}$ a finite set of encoding rules (or keys). Using an encoding rule $e \in \mathcal{E}$, the transmitter encrypts a source state $s \in \mathcal{S}$ to obtain the message $m = e(s)$ to be sent over the channel. The encoding rule is communicated to the receiver via a secure channel prior to any messages being sent. When it is possible that more than one message can be used to communicate a particular source state $s \in \mathcal{S}$ under the same encoding rule $e \in \mathcal{E}$, then the authentication code is said to have splitting. In this case, a message $m \in \mathcal{M}$ is computed as $m = e(s, r)$, where $r$ denotes a random number chosen from some specified finite set $\mathcal{R}$. If we define

$$e(s) := \{m \in \mathcal{M} : m = e(s, r) \text{ for some } r \in \mathcal{R}\}$$

for each encoding rule $e \in \mathcal{E}$ and each source state $s \in \mathcal{S}$, then splitting means that $|e(s)| > 1$ for some $e \in \mathcal{E}$ and some $s \in \mathcal{S}$. In order to ensure that the receiver can decrypt the message being sent, it is required for any $e \in \mathcal{E}$ that $e(s) \cap e(s') = \emptyset$ if $s \neq s'$. For a given encoding rule $e \in \mathcal{E}$, let

$$M(e) := \bigcup_{s \in \mathcal{S}} e(s)$$

denote the set of valid messages. A received message $m$ will be accepted by the receiver as being authentic if and only if $m \in M(e)$. When this is fulfilled, the receiver decrypts the message $m$ by applying the decoding rule $e^{-1}$, where

$$e^{-1}(m) = s \quad \text{if } m = e(s, r) \text{ for some } r \in \mathcal{R}.$$

A splitting authentication code is called $c$-splitting if

$$|e(s)| = c$$

for every encoding rule $e \in \mathcal{E}$ and every source state $s \in \mathcal{S}$. We note that an authentication code can be represented algebraically by a $|\mathcal{E}| \times |\mathcal{S}|$ encoding matrix with the rows indexed by the encoding rules $e \in \mathcal{E}$, the columns indexed by the source states $s \in \mathcal{S}$, and the entries defined by $a_{es} := e(s)$.

We address the scenario of a spoofing attack of order $i$ (cf. [11]): Suppose that an opponent observes $i \geq 0$ distinct messages, which are sent through the public channel using the same encoding rule. The opponent then inserts a new message $m'$ (being distinct from the $i$ messages already sent), hoping to have it accepted by the receiver as authentic. The cases $i = 0$ and $i = 1$ are called impersonation game and substitution game, respectively.

For any $i$, we assume that there is some probability distribution on the set of $i$-subsets of source states, so that any set of $i$ source states has a non-zero probability of occurring. For simplification, we ignore the order in which the $i$ source states occur, and assume that no source state occurs more than once. Given this probability distribution on the set $\mathcal{S}$ of source states, the receiver and transmitter also choose a probability distribution on the set $\mathcal{E}$ of encoding rules, called an encoding strategy. It is assumed that the opponent knows the encoding strategy being used. If splitting occurs, then the receiver/transmitter will also choose a splitting strategy to determine $m \in \mathcal{M}$, given $s \in \mathcal{S}$ and $e \in \mathcal{E}$ (this corresponds to non-deterministic encoding). The transmitter/receiver will determine these strategies to minimize the chance of being deceived by the opponent. The deception probability $P_{d_i}$ denotes the probability that the opponent can deceive the transmitter/receiver with a spoofing attack of order $i$.

III. Combinatorial Splitting Designs 

The notion of splitting balanced incomplete block designs and, more generally, that of splitting $t$-designs have been introduced in [6] and [10], respectively.

Definition 1: For positive integers $t, v, b, c, u, \lambda$ with $t \leq u$ and $cu \leq v$, a $t$-$(v, b, l = cu, \lambda)$ splitting design $\mathcal{D}$ is a pair $(X, \mathcal{B})$, satisfying the following properties:

(i) $X$ is a set of $v$ elements, called points,

(ii) $\mathcal{B}$ is a family of $l$-subsets of $X$, called blocks, such that every block $B_i \in \mathcal{B}$ $(1 \leq i \leq |\mathcal{B}| =: b)$ is expressed as a disjoint union

$$B_i = B_{i,1} \cup \cdots \cup B_{i,u}$$

with $|B_{i,1}| = \cdots = |B_{i,u}| = c$ and $|B_i| = l = cu$,

(iii) every $t$-subset $\{x_m\}_{m=1}^{t}$ of $X$ is contained in exactly $\lambda$ blocks $B_i = B_{i,1} \cup \cdots \cup B_{i,u}$ such that

$$x_m \in B_{i,j_m} \quad (j_m \text{ between } 1 \text{ and } u)$$

for each $1 \leq m \leq t$, and $j_1, \ldots, j_t$ are mutually distinct.

We summarize some basic conditions concerning the existence of splitting designs (cf. [6], [10]).

Proposition 1: Let $\mathcal{D} = (X, \mathcal{B})$ be a $t$-$(v, b, l = cu, \lambda)$ splitting design, and for a positive integer $s \leq t$, let $S \subseteq X$ with $|S| = s$. Then the number of blocks containing each element of $S$ as per Definition 1 is given by



A. = A- 



(n) 



(n) ■ 

In particular, for $t \geq 2$, a $t$-$(v, b, l = cu, \lambda)$ splitting design is also an $s$-$(v, b, l = cu, \lambda_s)$ splitting design.

Proposition 2: Let $\mathcal{D} = (X, \mathcal{B})$ be a $t$-$(v, b, l = cu, \lambda)$ splitting design. Let $r := \lambda_1$ denote the number of blocks containing a given point. Then the following holds:

(a) $bl = vr$.

(c) $r c^{t-1}(u - 1) = \lambda_2 (v - 1)$ for $t \geq 2$.

Proposition 3: Let $\mathcal{D} = (X, \mathcal{B})$ be a $t$-$(v, b, l = cu, \lambda)$ splitting design. Then



A 



t - s 



mod c 



t - s 



for each positive integer $s \leq t$.

Proposition 4: If $\mathcal{D} = (X, \mathcal{B})$ is a $t$-$(v, b, l = cu, \lambda)$ splitting design with $t \geq 2$, then



b> -. 



IV. Optimal Splitting Authentication Codes 

We state lower bounds on cheating probabilities for splitting authentication codes (cf. [12], [13]).

Theorem 1: In a splitting authentication code, for every $0 \leq i \leq t$, the deception probabilities are bounded below by

$$P_{d_i} \geq \min_{e \in \mathcal{E}} \frac{|M(e)| - i \cdot \max_{s \in \mathcal{S}} |e(s)|}{|\mathcal{M}| - i}.$$

A splitting authentication code is called $t$-fold secure against spoofing if

$$P_{d_i} = \min_{e \in \mathcal{E}} \frac{|M(e)| - i \cdot \max_{s \in \mathcal{S}} |e(s)|}{|\mathcal{M}| - i}$$

for all $0 \leq i \leq t$.

We indicate a lower bound on the size of encoding rules for splitting authentication codes (see [10], and [14], [15] for the case $t = 2$).

Theorem 2: If a splitting authentication code is $(t - 1)$-fold secure against spoofing, then the number of encoding rules is bounded below by

$$|\mathcal{E}| \geq \prod_{i=0}^{t-1} \frac{|\mathcal{M}| - i}{|M(e)| - i \cdot \max_{s \in \mathcal{S}} |e(s)|}.$$



A splitting authentication code is called optimal if the 
number of encoding rules meets the lower bound with equality. 



Corollary 1: In a c-splitting authentication code, 



for every $0 \leq i \leq t$.

Corollary 2: If a $c$-splitting authentication code is $(t - 1)$-fold secure against spoofing, then

$$|\mathcal{E}| \geq \frac{\binom{|\mathcal{M}|}{t}}{c^t \binom{u}{t}}.$$

Optimal splitting authentication codes can be characterized in terms of splitting designs (see [10], and [6] for the case $t = 2$) as follows.

Theorem 3: Suppose there is a $t$-$(v, b, l = cu, 1)$ splitting design with $t \geq 2$. Then there is an optimal $c$-splitting authentication code for $u$ equiprobable source states, having $v$ messages and $\binom{v}{t} / [c^t \binom{u}{t}]$ encoding rules, that is $(t - 1)$-fold secure against spoofing. Conversely, if there is an optimal $c$-splitting authentication code for $u$ source states, having $v$ messages and $\binom{v}{t} / [c^t \binom{u}{t}]$ encoding rules, that is $(t - 1)$-fold secure against spoofing, then there is a $t$-$(v, b, l = cu, 1)$ splitting design.

V. Optimal Splitting Authentication Codes with 
Perfect Secrecy 

In what follows, we are interested in optimal splitting authentication codes that simultaneously achieve perfect secrecy. According to Shannon [16], an authentication code is said to have perfect secrecy if

$$p_S(s \mid m) = p_S(s)$$

for every source state $s \in \mathcal{S}$ and every message $m \in \mathcal{M}$, that is, the a posteriori probability that the source state is $s$, given that the message $m$ is observed, is identical to the a priori probability that the source state is $s$.

By introducing the notion of an external difference family 
(EDF) (which yields a certain type of a splitting design), 
Ogata-Kurosawa-Stinson-Saido [6, Thm. 3.4] have given a 
construction scheme for optimal splitting authentication codes 
with perfect secrecy in the special case when the number of 
keys equals the number of messages. 

Theorem 4: Suppose there exists a $(v, c, 1)$ $u$-EDF over an Abelian group of order $v$, then there is an optimal $c$-splitting authentication code for $u$ equiprobable source states, having $v$ messages and $v$ encoding rules, that is one-fold secure against spoofing and simultaneously achieves perfect secrecy.

An example is as follows (cf. [6, Exs. 2.3 & 5.2]). 

Example 1: An optimal 2-splitting authentication code for $u = 2$ equiprobable source states, having $v = 9$ messages and $b = 9$ encoding rules, that is one-fold secure against spoofing and achieves perfect secrecy can be constructed from a $2$-$(9, 9, 4 = 2 \times 2, 1)$ splitting design. Each encoding rule is used with probability $1/9$. An encoding matrix is given in Table I.



TABLE I
Splitting authentication code with perfect secrecy from a $2$-$(9, 9, 4 = 2 \times 2, 1)$ splitting design.

        s_1      s_2
e_1    {1,2}    {3,5}
e_2    {2,3}    {4,6}
e_3    {3,4}    {5,7}
e_4    {4,5}    {6,8}
e_5    {5,6}    {7,9}
e_6    {6,7}    {8,1}
e_7    {7,8}    {9,2}
e_8    {8,9}    {1,3}
e_9    {9,1}    {2,4}



In the following, we develop a construction method for 
obtaining optimal splitting authentication codes with perfect 
secrecy in the more general case when the number of keys 
may differ from the number of messages: 

(1) We first introduce the notion of a cyclic splitting design. Let $\mathcal{D} = (X, \mathcal{B})$ be a $2$-$(v, b, l = cu, \lambda)$ splitting design, and let $\sigma$ be a permutation on $X$. For a block $B_i = \{B_{i,1}, \ldots, B_{i,u}\} \in \mathcal{B}$ given as in (ii) of Definition 1, define $B_i^\sigma := \{B_{i,1}^\sigma, \ldots, B_{i,u}^\sigma\}$, satisfying

$$B_i^\sigma = B_{i,1}^\sigma \cup \cdots \cup B_{i,u}^\sigma$$

with $|B_{i,1}^\sigma| = \cdots = |B_{i,u}^\sigma| = c$ and $|B_i^\sigma| = l = cu$. If $\mathcal{B}^\sigma := \{B_i^\sigma : B_i \in \mathcal{B},\ 1 \leq i \leq b\} = \mathcal{B}$, then $\sigma$ is called an automorphism of $\mathcal{D}$. If there exists an automorphism $\sigma$ of order $v$, then $\mathcal{D}$ is called cyclic. In this case, the point-set $X$ can be identified with $\mathbb{Z}_v$, the set of integers modulo $v$, and $\sigma$ can be represented by $\sigma : j \mapsto j + 1 \pmod{v}$. For a block $B_i = \{B_{i,1}, \ldots, B_{i,u}\}$, the set

$$B_i + j := \{B_{i,1} + j \pmod{v}, \ldots, B_{i,u} + j \pmod{v}\}$$

for $j \in \mathbb{Z}_v$ is called a translate of $B_i$, and the set of all distinct translates of $B_i$ is called the orbit containing $B_i$. If the length of an orbit is $v$, then the orbit is said to be full, otherwise short. A block chosen arbitrarily from an orbit is called a base block (or starter block). For a cyclic $2$-$(v, b, l = cu, 1)$ splitting design to exist, a necessary condition is $v \equiv 1$ or $l \pmod{u(u - 1)c^2}$. When $v \equiv 1 \pmod{u(u - 1)c^2}$ all orbits are full.

(2) Let us assume that there exists a cyclic $2$-$(v, b, l = cu, 1)$ splitting design without short orbit. Then, by Theorem 3, there is an optimal $c$-splitting authentication code for $u$ equiprobable source states, having $v$ messages and $\binom{v}{2} / [c^2 \binom{u}{2}]$ encoding rules, that is one-fold secure against spoofing. Furthermore, when considering the corresponding $b \times u$ encoding matrix, it follows by constructional reasons from the underlying cyclic splitting design without short orbit that the code simultaneously achieves perfect secrecy under the assumption that the encoding rules are used with equal probability.

Hence, we have proved the following theorem. 



Theorem 5: Suppose there is a cyclic $2$-$(v, b, l = cu, 1)$ splitting design without short orbit (that is, it holds that $v \equiv 1 \pmod{u(u - 1)c^2}$). Then there is an optimal $c$-splitting authentication code for $u$ equiprobable source states, having $v$ messages and $\binom{v}{2} / [c^2 \binom{u}{2}]$ encoding rules, that is one-fold secure against spoofing and simultaneously achieves perfect secrecy.

Relying on some recent constructions of splitting designs 
(cf. [17, Sect. 3.2]), we give exemplarily a series of optimal 
splitting authentication codes with perfect secrecy. 

Example 2: (i) An optimal 2-splitting authentication code for $u = 2$ equiprobable source states, having $v = 17$ messages and $b = 34$ encoding rules, that is one-fold secure against spoofing and achieves perfect secrecy can be constructed from a cyclic $2$-$(17, 34, 4 = 2 \times 2, 1)$ splitting design with base blocks $\{\{1, 2\}, \{3, 5\}\}$ and $\{\{1, 2\}, \{11, 13\}\}$. Each encoding rule is used with probability $1/34$. An encoding matrix is given in Table II.

(ii) As generalization of (i), an optimal $c$-splitting authentication code for $u = 2$ equiprobable source states, having $v = 2c^2 n + 1$ messages and $b = (2c^2 n + 1)n$ encoding rules, that is one-fold secure against spoofing and achieves perfect secrecy can be constructed from a cyclic $2$-$(2c^2 n + 1, (2c^2 n + 1)n, l = c \times 2, 1)$ splitting design with base blocks $\{\{1, 2, \ldots, c\}, \{2c^2 h - (2c^2 - c) + 1,\ 2c^2 h - (2c^2 - c) + c + 1,\ \ldots,\ 2c^2 h - (2c^2 - c) + c(c - 1) + 1\}\}$ for all $1 \leq h \leq n$.

(iii) Further examples of splitting authentication codes with perfect secrecy, also for $u > 2$, can be obtained in the same way from various further constructions of splitting designs in [17, Sect. 3.2].
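
The construction of Theorem 5, as an added example in Python (not code from the paper): it develops the base blocks of Example 2(ii) into the encoding matrix, then checks the splitting design property, perfect secrecy, and the impersonation and substitution probabilities. All function names are illustrative; equiprobable encoding rules and source states and a uniform splitting strategy are assumed.

```python
from fractions import Fraction
from itertools import combinations

def base_blocks(c, n):
    # Example 2(ii): u = 2 sub-blocks of size c, points 1..v with v = 2*c^2*n + 1.
    first = tuple(range(1, c + 1))
    return [(first, tuple(2*c*c*h - (2*c*c - c) + c*k + 1 for k in range(c)))
            for h in range(1, n + 1)]

def encoding_matrix(blocks, v):
    # Develop every base block through all v translates j -> j + 1 (mod v).
    # Row = encoding rule e, column = source state s, entry = message set e(s).
    def shift(sub, j):
        return frozenset((x - 1 + j) % v + 1 for x in sub)
    return [tuple(shift(sub, j) for sub in blk) for blk in blocks for j in range(v)]

def is_splitting_design(matrix, v):
    # lambda = 1: each pair of points lies in two different sub-blocks of exactly one block.
    seen = {}
    for row in matrix:
        for a, b in combinations(row, 2):
            for x in a:
                for y in b:
                    key = frozenset((x, y))
                    seen[key] = seen.get(key, 0) + 1
    return len(seen) == v * (v - 1) // 2 and set(seen.values()) == {1}

def has_perfect_secrecy(matrix, v):
    # Under the assumed uniform strategies, p(m|s) is proportional to the number of
    # rules e with m in e(s); perfect secrecy holds iff that count is the same for all s.
    u = len(matrix[0])
    return all(len({sum(m in row[s] for row in matrix) for s in range(u)}) == 1
               for m in range(1, v + 1))

def deception_probabilities(matrix, v):
    # Opponent's best success rate for impersonation (i = 0) and substitution (i = 1).
    b, u, c = len(matrix), len(matrix[0]), len(matrix[0][0])
    contains = lambda row, m: any(m in sub for sub in row)
    p0 = max(Fraction(sum(contains(row, m) for row in matrix), b) for m in range(1, v + 1))
    total = 0
    for m in range(1, v + 1):            # m = message observed on the channel
        rows = [row for row in matrix if contains(row, m)]
        total += max(sum(any(m2 in sub and m not in sub for sub in row) for row in rows)
                     for m2 in range(1, v + 1) if m2 != m)
    return p0, Fraction(total, b * u * c)

if __name__ == "__main__":
    matrix = encoding_matrix(base_blocks(2, 2), 17)   # Example 2(i): c = 2, n = 2
    print(len(matrix), is_splitting_design(matrix, 17), has_perfect_secrecy(matrix, 17),
          deception_probabilities(matrix, 17))
```

For Example 2(i) the returned probabilities equal the bounds of Theorem 1 with $|M(e)| = cu = 4$ and $\max_s |e(s)| = c = 2$; using only part of an orbit as the key set breaks the perfect secrecy check.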